Firewall Plugins

A feature of AIF is firewall plugins that can add specific functionality outside of the core script. Firewall Plugins can be managed by selecting the Network Tab in the web interface.

Note: Some plugins are automatically enabled and configured when the corresponding feature is enabled in AstLinux. For example, if the IPSec VPN is enabled, the ipsec-vpn plugin will be automatically enabled when the firewall is restarted, regardless how ENABLED is defined in the plugin's configuration.

Below is a list of AIF firewall plugins supported in AstLinux.

adaptive-ban

This plugin parses a log file (/var/log/messages by default) for failed access noting offending IP addresses, then ban each IP address after multiple failed attempts. This is similar to how Fail2ban works, but optimized to work on embedded platforms like AstLinux.

If you allow common services, in particular SIP or SSH, from the public internet, it is highly recommended to enable this plugin.

dmz-dnat

This plugin allows forwarding of all unhandled traffic to a “DMZ” host. This implements a common feature found in residential grade routers. Note that the “DMZ” host does not necessarily have to be defined off the DMZ interface, any internal static IPv4 address will work.

This could be useful when AstLinux is primarily used as a SIP endpoint and a customer had a pre-existing router and network, an AstLinux box could be inserted before the pre-existing router and the pre-existing router's WAN port connected to AstLinux's LAN/DMZ. The pre-existing router's WAN IPv4 address could be defined as the “DMZ” host in this plugin. Any IPv4 traffic not handled by the AstLinux box itself would be redirected to the pre-existing router's WAN IPv4 address.

Not commonly used.

(IPv4-only)

dsl-ppp-modem

This implements support to access (A)DSL PPP modem internal configurations.

In cases when PPPoE is used as the transport to the modem, special firewall settings are often necessary to access the internal Web or Telnet servers used to configure (A)DSL PPP modems. Usually define MODEM_IF, MODEM_IP and MODEM_INTERNAL_NET in the plugin configuration.

Note, this plugin should not be enabled unless both, AstLinux is configured to use PPPoE and TCP/IP configuration is available in the modem.

(IPv4-only)

dyndns-host-open

This plugin provides EXT→Local firewall 'host-open' rules using hostnames (via periodic DNS lookups) rather than static IPv4 addresses.
Should the hostname resolve to multiple IPv4 addresses, a rule for each address will be opened.

If you allow common services, in particular SIP or SSH, only from public dynamic IPv4 addresses, it is highly recommended to enable this plugin and don't allow these services from the public by default.

(IPv4-only)

dyndns-ipv6-forward

Note: this plugin is not available until AstLinux 1.2.10 and later.
This plugin provides EXT→LAN firewall 'ipv6-forward' rules using hostnames (via periodic DNS lookups) rather than static IPv6 addresses.
Should the hostname resolve to multiple IPv6 addresses, a rule for each address will be opened.

Tip → A custom ddclient config may be used to publish local servers with dynamic DNS AAAA records.

(IPv6-only)

dyndns-ipv6-open

Note: this plugin is not available until AstLinux 1.2.10 and later.
This plugin provides EXT→Local firewall 'ipv6-open' rules using hostnames (via periodic DNS lookups) rather than static IPv6 addresses.
Should the hostname resolve to multiple IPv6 addresses, a rule for each address will be opened.

If you allow common services, in particular SIP or SSH, only from public dynamic IPv6 addresses, it is highly recommended to enable this plugin and don't allow these services from the public by default.

Tip → Similar functionality as the IPv4 dyndns-host-open plugin except using IPv6 with AAAA DNS records.

(IPv6-only)

ids-protection

This implements Intrusion-Detection-System (IDS) protection. It will block remote hosts trying to scan/access your system on firewalled ports.

ipsec-vpn

Automatically Enabled
This plugin adds all required rules for using the IPSec VPN.

ipv6-over-ipv4

mac-address-filter

This plugin allows you to select the MAC addresses that are allowed access for the specified internal interfaces.

Before using this plugin, instead consider Network → Configure DNS Hosts mapping allowed MAC addresses to IP addresses in a range that can be allowed using normal firewall rules. Neither of these methods are perfect or secure, but can add some useful access control.

miniupnpd

Automatically Enabled
Setup of the iptables chains that the miniupnpd daemon manages.

(IPv4-only)

multiroute

This plugin enables IP multirouting (load balancing). Note that it does not support redundant connections (fallback when one of the links is down). This is not a limitation of this plugin, but of the current Linux kernel that does not currently support that feature.

Not commonly used.

nat-loopback

Note: this plugin is not available until AstLinux 1.0.6 and later.
This plugin allows local networks to access NAT'ed hosts/ports, called NAT Loopback, using the existing NAT_FORWARD_TCP and NAT_FORWARD_UDP rules. Local nets may be able to use the external IPv4 address and port to access NAT forwarded internal servers.

(IPv4-only)

net-prefix-translation

Note: this plugin is not available until AstLinux 1.3.0 and later.
Commonly used with static assigned ULA (Unique Local IPv6 Unicast Addresses)
(RFC4193) prefixes on local networks and perform a 1:1 mapping to a
GUA (IPv6 Global Unicast Address) (RFC3587) prefix provided by your ISP.
Should the GUA prefix change, the local ULA prefix can remain the same.

(IPv6-only)

openvpn-server

Note: this plugin is not available until AstLinux 1.0.6 and later.Automatically Enabled
This plugin adds all required rules for using an OpenVPN Server.

The firewall must be enabled for the OpenVPN Server to properly function.

outbound-snat

Note: this plugin is not available until AstLinux 1.0.6 and later.
When a NAT'ed external interface has multiple IPv4 addresses, it may be desirable to specify which internal IP's or CIDR's use which external IPv4 addresses for outbound connections.

(IPv4-only)

parasitic-net

Note: this plugin is not available until AstLinux 1.3.0 and later.
This Parasitic Network plugin allows “clients” on the same subnet to use this device as a gateway upstream.
This network of “clients” is the Parasitic Network, SNAT'ed to this device's external interface(s).

This Parasitic Network is useful for situations when the upstream firewall
is not under your control and you desire added security for specific devices
in your subnet. Set the gateway address of Parasitic Network clients to an
external IPv4 address of this device.

To be effective, be certain the Parasitic Network clients are IPv4-only.

(IPv4-only)

pptp-vpn-passthrough

Note: this plugin is not available until AstLinux 1.2.5 and later.
This plugin loads the required kernel modules for PPTP VPN Clients to access remote PPTP VPN Server(s) when NAT is enabled.

(IPv4-only)

pptp-vpn

Automatically Enabled
This plugin adds all required rules for using a PPTP VPN Server.

The firewall must be enabled for the PPTP VPN to properly function.

sip-user-agent

Note: this plugin is not available until AstLinux 1.2.0 and later.
This plugin adds SIP User-Agent filtering, no packets are allowed by this plugin, only denied. This plugin monitors inbound (EXT→Local) SIP sessions on specified ports.

If SIP_USER_AGENT_PASS_TYPES is defined with a list of space separated User-Agent matches, non-matching User-Agent packets will be dropped. (Whitelist)

Otherwise if SIP_USER_AGENT_DROP_TYPES is defined with a list of space separated User-Agent matches, matching User-Agent packets will be dropped. (Blacklist)

This plugin will have no effect on TLS encrypted SIP sessions, only unencrypted SIP sessions.

sip-voip

This plugin attempts to track the RTP ports used in a SIP dialog and automatically open the necessary RTP ports when needed.

In practice this plugin does not always yield the expected results. Feel free to experiment.

When this plugin is disabled (the default) the SIP RTP ports must be manually opened to match the Asterisk rtp.conf rtpstart/rtpend values.

In general, do not enable this plugin.

ssh-brute-force-protection

This plugin implements protecting for brute force cracking by limiting the amount of connection attempts for each source IP in specific time slot. It is primarily intended for SSH, though in principle it can be used for any TCP protocol, for example: FTP, SMTP, IMAP, etc. .

Users may find the adaptive-ban plugin a better solution for SSH.

time-schedule-host-block

Note: this plugin is not available until AstLinux 1.1.2 and later.
This plugin selectively blocks outgoing connections by MAC or IP address based on a local time schedule and day-of-week. Useful for blocking guest WiFi access during off-hours, children's curfew, etc. .

traffic-shaper

Automatically Enabled, additional configuration may be necessary.
This plugin will shape traffic using either htb or hfsc. It borrows heavily on the logic of Maciej Blizinski's original script, with some minor changes to the actual bins how traffic is classified. Additionally htb support from Kristian Kielhofner's astshape (similar to wondershaper) in much earlier AstLinux is implemented. Classification by DSCP class is automatically performed.

In most cases, it is recommended to enable this plugin via the Firewall tab of the web interface, start by choosing htb as the type.

transparent-dnat

This plugin enables transparent DNAT for internal hosts for certain ports, meaning you can redirect certain TCP/UDP ports (eg. HTTP) which should be redirected from a certain INET address to an internal address.